Description: Slides from an NSA Turbulence presentation describe two of the agency’s specialised implants, aimed at compromising virtual private networks (VPNs) and online telephony (VOIP): see the Intercept article “How the NSA Plans to Infect ‘Millions’ of Computers with Malware”, 12 March 2014.

■ TURMOIL VPN extracts metadata from each key exchange and sends to the CES TOYGRIPPE metadata database. This database is used by SIGDEV analysts to identify potential targets for further exploitation.

► VPN Phase 2: Targeted IKE Forwarding (Spin 15)

- TURMOIL VPN looks up IKE packet IP addresses in KEYCARD.

■ If either IP address is targeted, the key exchange packets are forwarded to the CES Attack Orchestrator (POISON NUT) for VPN key recovery.